2013-10-31 – Windows Azure Active Directory


For those who don't know me: I'm Portuguese, living in London, so I really like the clouds; that's the only thing I can tell you. I also spent six months in Belgium, in 2001; I spent six months in Brussels and I said, how can people live with all those clouds and everything? Then I moved to London, so don't remind me. Come on. So I'm director of clusters for DD Europe and I'm also a Windows Azure MVP, so I hang around with all these guys, normally at events, which is quite fun. We always behave, right? We always behave; we always get Windows Azure to very high points, sometimes higher than others.

So the goal here, what Martin spoke to me about, was: do you want to come and share a little bit of what you've learned? I sent a couple of sessions and he said, can you do two? Okay, so one is Windows Azure Active Directory; the other one is real-time data management.

How many of you have used Windows Azure AD? How many of you know what AD is? OK. So in Windows Azure AD I can add a machine to my domain, right? Right, or not? No. So that was one of the first questions we got with Windows Azure AD: cool, can we add machines? No. It's not the domain controller; hold on, it's the directory part, it's not the domain controller part. So let's see a little bit of what Windows Azure AD is, and then let's go to a couple of functionalities like Access Control Service, the directory, Graph, multi-factor authentication, which is really, really interesting, and then go to tenant administration and the libraries, and then a couple of scenarios, thinking of: okay, I have my on-premise AD and I now want to use Windows Azure AD, or I want to put some applications in the cloud; how do I share what I have on-premise, because I want single sign-on? So what are the options, what can I do?

Okay, so as you all know, Microsoft is doing a Cloud OS approach. Have you heard that term? Cloud OS basically means that they want to create one area, so one set of tools, that will work in the cloud and on-premise with the same level of capability. It's not there yet; it's getting there. So this means that at the public level they have Office 365; at the private level, Microsoft Office... not the same thing, similar functionalities, yes, but this is a shared environment, so I can't have this exact same thing. Windows Server, Windows Azure, System Center; actually we have similar things in Intune, when it grows up; it's still a baby, it's growing up. There are a lot of things you can do with System Center. Have you tried System Center monitoring cloud services, for example? Everybody loved it, right? It was one of the most painful experiences in my life, just the part of: oh, I now want to monitor my custom performance counter; I had to go to 2007, create the monitor and then get it back and import it into 2012. So it's not there yet. For infrastructure as a service, perfect, everything in System Center works there. So there are a lot of similarities, and the goal is to create common technologies that go in between in order to connect both of them. So this is Microsoft's approach, and the goal is: what if we could provide a way to get the normal directory, all that stuff, in the cloud? And even... okay, someone is sending tweets; it's good, because we get... that thing doesn't turn off, by the way.

So, in a way: when we create an AD, what happens? What's the protocol that we use for AD? It's a very proven protocol, right? LDAP. Very proven, and it works brilliantly on the internet, right? Actually it's a piece of crap when it goes to the internet. They told me I could swear, so how much is the fine? Count on me; what's my budget? OK. So we have LDAP, which doesn't work too well on the internet, so we needed to have something which is more internet-friendly. What if we could take this and, for example, have REST APIs? What if we could go and have the flexibility we have in social, like Facebook or something, and go and do a Graph API: understand who my friends are, who the friends of my friends are, and things like that? Wouldn't that be cool? So that is what Windows Azure Active Directory is: it's basically Active Directory, the directory part, as a service in the cloud, with modern internet protocols. So we're talking about RESTful APIs, we're talking about Graph APIs, also in order to provide me a way to interact with it, without LDAP but with something which is really simple, like any other service. Does that make sense? If it doesn't, throw me something, or better... so, Martin, no, no, no.

So the goal is: I have my on-premise stuff, my AD, and suddenly a customer comes and says, oh, I want to start to get my applications in the cloud. Okay, we do a web application, we ship it up into a cloud service, life's good, everything is good. Then suddenly they come and say, oh, I now have Office 365, can we share the same identity? Okay, we can. Oh, by the way, I have Active Directory on-prem, can I sync it? Yes, well, we'll tweak it. Oh, by the way, I have some customers that have Google IDs and Yahoo IDs and things like that; can I use them too? Please, please. And so this is where the problem starts: again we have too many dependencies. Live ID, Facebook... nope, Microsoft account, sorry. Google, Yahoo, Office 365. What's the identity provider for Office 365, you guys know? Organizational account. What's the organizational account? Windows Azure AD. From the start, when it was BPOS, it wasn't actually Windows Azure AD; then with the new one it became Windows Azure AD without the fancy APIs, and then the APIs came. So it's the exact same thing. So when people tell me, oh, Windows Azure AD is not proven yet... I know, maybe it is, with the amount of customers that are in Office 365, okay? And everybody got migrated from BPOS to Office 365; there are a lot of users in there. So it's already proven. Maybe the API, you can say that, but the functionality itself, it's proven.

So Active Directory has a continuum; it depends on the level of abstraction and the cost-effectiveness that you want. So: oh, I want to control everything, I'm a control freak. You know anybody that is a little bit of a control freak? I was at a customer once, and we were talking about Windows Azure as usual, and suddenly I explain, okay, Windows Azure will help you provision new machines, will help you better automate your system, and he starts looking at me weird, and it was like, what? And the guy goes, in this company I'm sure... I was like, okay, so you're the control freak type. Okay, so control freak: you control everything, yes; scalable, highly available: you do it yourself; if you like it, yes, perfect. If you want to do, oh, I want my Active Directory, but I'm used to my Active Directory with my domain controller; also I want to create my

domain, but I want to add my machines to the domain, I want to manage the group policies, all that stuff that I have in AD; I still need a little bit of control but I want to get more cost-effective, so I go to Active Directory in the cloud. So basically what I do is I put this in a VM and basically open the endpoints, and from there on I have Active Directory in a more cost-effective way. But there is nothing like platform as a service, where I actually go and use it, like Windows Azure AD; in that case I have self-provisioning, management, scale to my needs, and it's fault-tolerant and it's as a service; I don't need to do anything other than provisioning and managing; all the hardware and all that stuff, forget about it. But only if I don't need the group policy part and all that stuff, and that's what you're seeing move a little bit to Intune, where you might manage your devices, where you want to manage a little bit of the services. Makes sense? So it's a continuum: either you get control or abstraction.

So right now most of the companies will go here; essentially they go into Windows Azure AD when they want, for example: oh, I want to extend that, for example, to my web applications, my website; and basically they start to have the two: they have their own AD on a VM, or even their own AD on-prem, and do a directory sync with Windows Azure AD in order to create more scalability, for example to put multi-factor authentication for phones and things like that. So this is interesting for all types of company: enterprises, medium-sized companies, small business. In delivering the several different applications, enterprise applications, on the centralized policy, I'm talking about AD in the VM. If I'm talking about the small business, normally they want: I just want the thing to work, and then Windows Azure AD will be good enough.

This is a little bit of the timelines, so the most important one is GA, and then you see that there are more and more drops coming, and now it's almost every two weeks that something is coming around. This is the power of the cloud; this is also something that should be in here, which is the power and the availability, the speed of the availability of new features, which is completely different from here.

So what about the functionalities, what does it do? So we have, most important part, we have one area which is the Windows Azure AD Access Control Service. I love this thing; we actually tried, internally on the distribution list, we were trying to get the biggest Twitter handle made, and this one was one of the biggest; I don't remember if it was the one or not, I think there was one pretty close also, but I don't think I can say. So basically Windows Azure AD Access Control Service, what is this? Who remembers this one, ACS? So the ability for me to have... basically this is a federation gateway. I can go register my identity providers; from those identity providers I can actually have my applications go and connect to it. So for example I can go to my phone and say, register with this ACS, and it will bring up a page where I could choose Google or Microsoft account or something else. And also, that's in the authentication part; in the authorization part, it's a claims-based service, so I could actually do authorization based on claims. It's still there; it's part of the AD now. The directory part: the ability for me to create the directory, create users; it's a cloud-based identity store. Again, it's not the domain controller, it's an identity store. Then you'll see that Windows Azure AD is growing in blocks, new building blocks: ACS for social connection, directory for identity store,

Graph API in order to provide a better protocol, in a way, for me to work with it; multi-factor authentication in order to provide better authentication, because more and more our clients are talking to us and say, hey, yes, perfect, user and password is great, but I now need something else, I need something more, I need them to receive for example a code on their phone and go from there. So this is what's being built, and this was built by acquiring a company; Microsoft acquired a company in order to do this. And then the Authentication Library, because, yeah, the APIs are really good and calling RESTful APIs is really good, but having a wrapper around it to make it simple is even better.

So Access Control Service, what it is: claims-based authentication, federated; the authorization service basically provides you the way to have several different identity providers that you can configure. It's not in your app; your app trusts ACS; ACS is the one that has trust with a lot of different identity providers. So this is the gateway that is going to tell you: oh, I want to authenticate against Google; I go to Google, pass it the token and the token gets authenticated; there is a trust between the two. So the goal of this was to solve this kind of challenge: I want the user to be able to come from AD, Microsoft account, Facebook account or any other thing; this was the goal. So this was the problem statement that ACS was here to solve: create something in the middle that will provide that capability. So this was at the end: if my application trusts ACS and then ACS has a trust with all the others, this will solve my issue. What's the other issue that comes? This one sends a token which is not the same as this one, not the same as Facebook, not the same as Yahoo or any other thing; all of them are different. So what does that mean for my application? Do I need to build it in a way that understands all those tokens? No. Basically, other than the federation gateway, it also builds a transformation, so I transform the crazy different tokens that I receive into one that will be my token for my app. All my apps that register against this ACS will get the exact same token, independently of where they come from. So there is a token transformation here; this way my app only knows this token, doesn't know anything else, doesn't need to.

The other part is the directory service. Let me change here into the directory service. So if I go to manage.windowsazure.com, and if this stops jumping around and actually does something... so you probably saw that in the last few days there was a change in the portal, right? So basically the change is that now you have the ability, when you go to subscriptions, to have a lot of different directories. So until now everything was done with a Microsoft account; I can now have also the organizational accounts, and by default when I get one it actually creates one directory for me and all the users get appended to that. And the other interesting thing is that I can actually move: if I don't want all those, so one per subscription, or a third account, what I can do is change from one to the other, right? So I can have here now, I can see, based on my several identities, which is where. So this is one of my accounts, so fly...

okay, don't apply. So the Active Directory: another new thing that came is the ability for me to create multiple Active Directories, Windows Azure ADs, in the same subscription, which until a couple of months back... it was really cool, because imagine you are managing your customers' subscriptions and everything they had with you. It was really cool when you first tested Windows Azure AD: you said new AD, whatever the name was, I don't care, bla, and hit it, and suddenly you look at it and it was the most interesting thing, because it appeared like a subscription shared by all the subscriptions, which is really cool, because now I couldn't delete it, and I had already used all my customers' subscriptions, and they couldn't even use Active Directory now in their subscriptions. So it was really cool, was a really cool feature; so finally that was solved, yay. There was actually a technique to work around that, because that was actually assigned to the Microsoft account you used, so you could actually create multiple if you changed Microsoft accounts, but that was a trick; it wasn't ideal.

So in the Active Directory you have of course your access control namespaces, of course you already know this one, and the directory. So I can go and say I want a new directory, and it's as easy as: create an AD, azurebetestdemo. Yeah, sounds like I'm in Belgium, pretty sure. So we create the AD. So what this is going to give us is the ability... now I can actually use it; I can create users on top. First thing it does is: okay, there is a new directory service, let me add your user, the one that is going to log on into here, and make it an administrator of this directory service, because otherwise we couldn't do anything with it. Another is to actually define some applications, so create applications that will not only be applications that will leverage this, but also applications that want to use the Graph API and things like that. So if I want, what I can do is go to users; I say, okay, I want to have a user in this new organization; let me call it test, and let's say the user, and its role, which role, one, and create a temporary password. Now I have a temporary password; what do I do with this? So I can also go to login.microsoftonline.com, and I can actually... maybe not use this one, not to destroy my own things, and now I can use test@azurebetestdemo. Right, yay, I'm here. So I have a user; it's a normal user. One of the things which, if I actually knew where my damn phone was, I could actually text my phone; so one of the things that we can do is actually leverage another thing, which is change and say I want to provide multi-factor authentication, which is a new capability, so: access

denied. Come on, I'm pretty sure I'm the owner of this crap. Oh, this feature is nice; let's try again. You always get new things when you try to demo it. So you go here, this one, users, and want to do this: I want to give access to my account; that's a cool new one. So administrators: add me, which, if I go, since this is for the subscription, if I go now, hopefully this will work, where's AD? So AD shared, so users, let me put that user as global admin, anything else, save, OK. So we go there; now let me have this as administrator from my own account, either azurebetestdemo... that, test@azurebetestdemo.onmicrosoft.com. Interesting name, going to be special; I'm glad this is being recorded. Can we send that live to the team saying, yeah, I don't know, this new feature doesn't look right? Hey Victor, we have a new thing for you; this drop... thank you. Okay, so you can't imagine that that thing works. We'll thank Victor.

So the directory service is basically providing you with the users, the capability of creating users which are users or global administrators, and then of course it doesn't provide you with the ability to connect machines; it's not the domain controller, but you can actually connect both.

So another thing is the Graph API. So you know, like with AD, you have a lot of tools, or if you really like LDAP that much you can do it; feel free, and you can actually query everything that is out there. So the Graph API is going to provide you exactly the same thing. So the Graph API: when you create an Active Directory in the cloud, one of the things that you create is actually: I have users and I now have an application that I want to register here. So I can actually do this for the new one from scratch. So I want to add an application; my application is going to be called, anything, azurebetest; it's a web application, OK; which type are you going to be using, so azurebetestdemo; what's the directory access that you are

going to provide: is it only single sign-on, am I going to only provide identity to this, or do I want single sign-on and read/write, or do I want to write also? I also want to write, okay. So what it does, it creates my application, so I have my application, and now what do I do with this? I have my application registered, perfect; does this help me? I now want to create a very dumb... so let me change here; you all read very well, hopefully; now you probably do. So basically what I'm going to tell is my application principal, which is my client ID for my directory service, so a way for me to say this is the ID that I'm going to use in order to interact with you, azurebetestdemo.onmicrosoft.com, so this is the tenant, the Windows Azure AD tenant that I'm going to be using, and now I have here a password which I'm also required to use. So let's go here; oh, I don't have a key. So basically I can generate the key; I have two options, either one or two years duration, and now when I save it I'm actually going to view this key. One thing here is: you'd better save this key somewhere, because this is the first and last time you are seeing it. So I now go to my application, put it in there, and it's good. Yeah, you saved everything? Yeah, so good. I'm just telling you that because if I now save it and go somewhere else, when I go back, oh, I have a key, I have a key... you tell jokes about blondes, yes; I have a key, these stars are my key.

So what this very stupid application does: it has a couple of controllers; one is my user controller, which is basically going to my directory service, creating a query into my users. So it goes, because the query is just like a LINQ query, and it provides me a way to simply go and automate with this. So if I run this, what I'm going to see is a simple MVC application that now I can use to manage all that. So I can go and see: do I have groups? No, I don't. Grab users... oh no, I know what the hell happened. I'm sure I don't even know how to write a real thing; I should be writing... it normally works better when you write the right stuff in the name. OK, so now what I can do is I can go and create: display name test, test, enabled true; I can create the group; let's create another one, this one is a very good group, and now I can do searches, which work very well. So this is one under groups; the same thing I can do on user

management. The only thing that I'm using here is the Graph API, so I don't need to use LDAP anymore. So you like this one? So they're saying that it's external; this is a way for it to say this is a Microsoft account: if it's external, it's a Microsoft account. So if I go now and say here, just to test, two, account enabled, I get a password and hit it; I now have a new user, and if I go back I should have my new user come up at any point, when the damn thing restarts, and if I go into my other login, login.microsoftonline.com, test2@azurebetestdemo... what a stupid name. So, yes, creating this is all through the Graph API only. So the Graph API... have you used data services before? So it's an abstraction on top of all those elements; it provides you an easy way to interact with normal directory services APIs through this wrapper, this layer which is the Graph API. It's very powerful, really good; it's getting better and better, trying to be an enterprise Graph API similar to what the Facebook Graph API can do. So it's a new enterprise social. Have you used the Facebook Graph API? So it's the same concept for enterprises; it's bringing the enterprise, the directory services, to a new level: RESTful interfaces, enterprise-ready, the ability to extend your elements, do searches, everything without leveraging LDAP, which doesn't like the internet very well. So JSON, OData, OAuth is what they are using.

OK, multi-factor authentication, the thing that I really would love to work. So basically, what is this? The ability for you to... imagine you have a user, and this user goes now and, in order to authenticate, not only needs to know the password but also needs to put in something else: the security code that goes through SMS, so a text message, or an email, for example. How many of you are users of Xbox? Just for tests; I just do a little bit of testing every now and then. And one of the things they changed is they actually now start to do multi-factor authentication on the accounts, so whenever you try to play they're going to say, oh, you're logging in with this, can you please tell me something, like, I can connect with you in order to make sure you are who you say you are. So I get a text message and I put it in, until I go into my Live account and actually verify that that machine is something I trust. Okay, so basically the goal is to prove that you are who you say you are, which nowadays is more and more important. You don't want to... I read one article yesterday about the NSA and the ability to go inside a lot of different

encryption levels. So, yeah, other than those, you want every other person not to have access to your stuff; other than those, of course, because they can do anything. So the last one is the Authentication Library, basically a developer library you can use; it's a NuGet library you can use for this.

Let's go to tenant administration, same level. So in the cloud I can use everything; for everything on-premise, the same exact thing, Windows Azure AD; the only difference is in the cloud I use the Graph API, on-premise I use LDAP; nothing strange in there, same ability, the same capacity. The important part is when I go to tenant administration: what if I want to do something like, my Windows Server AD that I now want to extend into Windows Azure AD, what do I do? And those are the scenarios, typical integration scenarios. So imagine you have an application that is a cloud-only application. So you go and you say, okay, I want Office 365, CRM or any other thing; I want all of them to use my new directory service, but I don't want to install anything for that. I create my Windows Azure AD, which will provide me my directory store, will provide me my Graph API if I want, PowerShell if I really love PowerShell, which I started to like a little bit since I started working with Windows Azure, and if I want that, I will have a single authentication platform for all of them. This is Active Directory, Windows Azure AD; no problems there. So my user goes, gets authenticated, and I can move on.

Directory synchronization: I want my user in the AD on my company network, and I now have Office 365, Intune, all that stuff in my cloud services; how can I connect to them? What I can do is: there is a tool called Directory Sync. What this Directory Sync does is connect both of them; one of the things that it doesn't do is send your password. So it doesn't; your password is only here, with the directory; the same user is replicated, but for authentication you need to come here. So these are the options: I can go through Directory Sync, which is part of Windows Azure AD; if I go to integration I actually have this part in order to download and configure everything. If I have Office 365, they have the Office 365 connector, which now is the exact same thing, just with a different executable, but it's the exact same thing; I have PowerShell and the Graph API. If I have an enterprise, a more enterprise approach to this, then I have Forefront Identity Manager and I can also use it in order to connect both on-prem and Windows Azure AD. So it's already possible to leverage this, because the agent that they use... they are going to allow an even more powerful one than this one. The other one is actually: so in this case the only thing I have in there is my user, nothing else; I can query, okay, where is Sam, where is Eve; I have their user, nothing else, which shows you that they are part of all that stuff; I cannot provide single sign-on. If I want single sign-on I need ADFS too, in order to expose the element, in order to do the SAML authentication, and then the directory sync, which makes my user exist in there, and now I have a trust relationship between my AD and the Active Directory Federation Services. So what it does is: when my user gets authenticated, so I go into my login.microsoftonline.com, I go in there, when I put in a user which is actually federated, what it does is it receives user and password, sends it here, and only when that provides you with an okay, you're really okay. So your password never goes into the cloud; you don't replicate it. There is only one way for you to do that, and that is putting an AD in Windows Azure VMs and actually creating the authentication with ADFS; then you can do it with Windows Azure AD. Windows Azure AD only stores the password for the elements created in there, not for anything that is federated; if it's federated, it's because it's authenticated somewhere else.

You're very quiet, what happened? I remember Belgium, but after I don't know how many, twelve years, everything was different. For some reason I worked six months with CBD, and we were a lot of times going to get... for some reason there it was completely different; I think it was the part of the university and the beers and the Spanish girls that were in there, but I'll forget about that. Okay, she knows; we were working at the same company, and I didn't have the best... the students who love me; let's have a good one.

OK, so ADFS federation options: ADFS works perfectly; third-party STS, so there are a couple of them out there that you can use in order to provide this authentication and this bridge; and Shibboleth. Have you used Shibboleth? It's really interesting; doing the connection between Windows Azure AD and Shibboleth is really cool, really, really... I wouldn't tell you to do it, but it's really cool. You do it once and you think, yeah, now I know how they feel, now I know; it's like, ha, yeah, painful, but it works; at the end of the day it works. So the federated authentication: basically we have the directory sync; we have, when someone tries to connect, in order to create the authentication, you have directory sync, you have the ADFS proxy in order to allow you to do the SSO, and you can also leverage that with Intune and everything. So normally you have directory sync and an ADFS proxy. Okay, I'm almost out of time.

So integration options: no integration, directory sync, and SSO. No integration: everything is in the cloud, awesome, no servers required, nothing; no single sign-on with on-premise, of course. Directory only: very interesting, you can query all your users, all your stuff; you cannot do the single sign-on; why? There's no federation. So directory and single sign-on will actually provide you with the full capability. You should always have ADFS and the ADFS proxy in there; the reason is because if you expose ADFS directly it's a security problem. You need to always put the proxy in, in order to provide a couple more added security measures and only communicate with what you actually should be communicating with. If you open ADFS, a lot of bad things can happen; hackers really love that. So this is, in a very nutshell, Windows Azure AD. Did that help? You want to throw something on,

Martin? Beers? Okay, so questions.

Yeah, it depends on your configuration, so... but normally what it does, it can be configured, but it's not immediate; it's a batch process. You can decide when you do the directory sync; you decide exactly which are the configurations you're going to set; one of them is how often that is being done. Normally you'd put something... if you're not getting users every single day, if it's for example, oh, I'm putting this in for my Office 365, I'm not getting users every day, probably it's once a day, the delay; if it's not, then I will do something different. It's from on-premise: when you do the directory sync configuration it's always from on-premise; on-premise starts the configuration. Actually, one of the things, when I was doing this for an enterprise, they were going through all the elements and monitoring all the connections, and it was interesting because the only thing that is said in the documentation is that you only need outbound communication. It's not actually true, because ADFS works with inbound also, in order to return something. So actually when they started to probe all the communication, they got some things back and it wasn't working, because basically it was initiating and it was sending a response, and that response was being received, so we couldn't synchronize anything, because in order to synchronize you need to know what's there. And then the customer said, oh, what's this happening, why is this communication coming back? So we had to do two things: one, go to the team and ask, and the other thing is go and, we need to edit this part later, decompile the stuff in order to understand what was happening. And basically what they are trying to do is: okay, I'm sending you the list of what's there in order for me to only throw what's new, what changed. OK, any more questions?

Yeah, you can customize your domains, so one of the things that you have is the ability for you to have a custom domain, so you can then add the custom domains and map them, in order to not get the onmicrosoft.com, which is a perfect, reasonable way to tell everybody: come on, I mean, how do you know I'm using Windows Azure AD? I don't know, the onmicrosoft.com potentially, or the cloudapp.net: oh, this is the cool application, use it in Windows Azure... no, I just fooled you. OK, questions? No...

Customize the login screen? Right now, no; in ACS you can. Nice, yes you can, which was really interesting because you downloaded an HTML file that you could change around; in this one, no, it's always that pre-screen. It's pretty, it has a couple of things; let me show it again. I'm glad I'm not a designer, because that's the login. So you're talking about this screen? Lovely screen, yeah, both of them; it depends on how you get there. When you go through this login.microsoftonline.com it goes through Office 365, but it's the same thing; when you go to an app it's the same thing; you can change it, you
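The demo in the talk (register an app principal, generate a key that is shown once, then query users and groups through the Graph API instead of LDAP) reduced to code. This is an added example, not the speaker's MVC application or Microsoft's own library. It assumes the OAuth2 client-credentials endpoint `https://login.microsoftonline.com/{tenant}/oauth2/token` and the Azure AD Graph host `https://graph.windows.net` with `api-version=1.6` (the API the talk refers to; it has since been retired in favour of Microsoft Graph, so treat the URLs as assumptions to verify). The transport is pluggable, and the responses below are constructed so the script runs offline; the client secret is read from an environment variable rather than pasted into source, since the portal will never show it again.

```python
"""Azure AD Graph client: client-credentials token, then user/group calls.

Added example (not from the talk).  Assumed endpoints: the OAuth2 token
endpoint on login.microsoftonline.com and the Azure AD Graph host
graph.windows.net (api-version=1.6); constructed responses keep it offline.
"""
import json
import os
import urllib.parse
import urllib.request

TOKEN_URL = "https://login.microsoftonline.com/{tenant}/oauth2/token"   # assumption
GRAPH_URL = "https://graph.windows.net/{tenant}/{path}?api-version=1.6"  # assumption
GRAPH_RESOURCE = "https://graph.windows.net"


def live_transport(method, url, headers, body):
    """Real HTTP via urllib; returns (status, raw_bytes)."""
    req = urllib.request.Request(url, data=body, method=method, headers=headers)
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.status, resp.read()


class GraphClient:
    def __init__(self, tenant, client_id, client_secret, transport=live_transport):
        self.tenant = tenant
        self.client_id = client_id          # the application principal / client ID
        self._secret = client_secret        # the one-time-displayed key; never logged
        self.transport = transport
        self._token = None

    def acquire_token(self):
        """OAuth2 client-credentials grant scoped to the Graph resource."""
        form = urllib.parse.urlencode({
            "grant_type": "client_credentials",
            "client_id": self.client_id,
            "client_secret": self._secret,
            "resource": GRAPH_RESOURCE,
        }).encode()
        status, raw = self.transport(
            "POST", TOKEN_URL.format(tenant=self.tenant),
            {"Content-Type": "application/x-www-form-urlencoded"}, form)
        if status != 200:
            raise RuntimeError("token request failed: HTTP %d" % status)
        self._token = json.loads(raw)["access_token"]
        return self._token

    def _request(self, method, path, body=None):
        """Authenticated Graph call; fetches a token on first use."""
        if self._token is None:
            self.acquire_token()
        headers = {"Authorization": "Bearer " + self._token, "Accept": "application/json"}
        data = None
        if body is not None:
            headers["Content-Type"] = "application/json"
            data = json.dumps(body).encode()
        url = GRAPH_URL.format(tenant=self.tenant, path=path)
        status, raw = self.transport(method, url, headers, data)
        if status not in (200, 201):
            raise RuntimeError("%s %s failed: HTTP %d" % (method, path, status))
        return json.loads(raw) if raw else {}

    def list_users(self, enabled_only=False):
        """GET /users; OData wraps the collection in a 'value' array."""
        users = self._request("GET", "users").get("value", [])
        return [u for u in users if u.get("accountEnabled")] if enabled_only else users

    def create_group(self, display_name, mail_nickname):
        """POST /groups with the minimal attributes the demo fills in."""
        body = {"displayName": display_name, "mailNickname": mail_nickname,
                "mailEnabled": False, "securityEnabled": True}
        return self._request("POST", "groups", body)


# --- Constructed responses so the example runs without a tenant -----------
FAKE_TOKEN = "eyJ.constructed.token"
FAKE_USERS = {"value": [
    {"userPrincipalName": "test@azurebetestdemo.onmicrosoft.com", "accountEnabled": True},
    {"userPrincipalName": "test2@azurebetestdemo.onmicrosoft.com", "accountEnabled": False},
]}


def fake_transport(method, url, headers, body):
    """Stand-in for the network: answers the token, users and groups calls."""
    if url.startswith("https://login.microsoftonline.com/") and method == "POST":
        fields = urllib.parse.parse_qs(body.decode())
        assert fields["grant_type"] == ["client_credentials"]
        return 200, json.dumps({"access_token": FAKE_TOKEN, "token_type": "Bearer"}).encode()
    assert headers.get("Authorization") == "Bearer " + FAKE_TOKEN, "missing bearer token"
    if "/users?" in url and method == "GET":
        return 200, json.dumps(FAKE_USERS).encode()
    if "/groups?" in url and method == "POST":
        created = dict(json.loads(body), objectId="00000000-0000-0000-0000-000000000001")
        return 201, json.dumps(created).encode()
    return 404, b""


def demo():
    """Enabled users plus the display name of a freshly created group."""
    client = GraphClient("azurebetestdemo.onmicrosoft.com", "client-id-placeholder",
                         os.environ.get("AAD_CLIENT_SECRET", "not-a-real-key"), fake_transport)
    enabled = [u["userPrincipalName"] for u in client.list_users(enabled_only=True)]
    group = client.create_group("very good group", "verygoodgroup")
    return enabled, group["displayName"]


if __name__ == "__main__":
    print(demo())
```

Swap `fake_transport` for `live_transport` (the default) and a real tenant, client ID and key to run it against a directory; the bearer token is attached on every Graph call and nothing here touches LDAP.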